[Wenchie]

from Trend Micro Weekly Virus Report
Date: June 13, 2003

Quote:

2. P2P and Email - WORM_MAPSON.A (Low Risk)
WORM_MAPSON.A is a non-destructive worm that spreads via peer-to-peer file-sharing networks and via email. Its non-destructive payload displays two message boxes when the infected system’s month is equal to July. This worm runs on Windows 95, 98, NT, ME, 2000, and XP.

Upon execution this worm drops a copy of itself in the Windows system directory, using any of several specific file names. It also drops the file LORRAINE.HTA in C:\ or the root directory of drive C, and executes it on the 4th day of every month. When this compiled HTML file is opened, it displays a message box.

To propagate via email, the worm connects to the SMTP server mx1.hotmail.com. It gathers its target email addresses from an infected user’s MSN contact list, and sends email (in English or Spanish) with one of 15 possible “From:” fields, one of 61 possible subject lines, one of 61 possible message bodies, and one of 62 possible attachments.

For peer-to-peer network propagation, this worm queries the registry for the path of the Program Files folder and then appends specific strings as a way of guessing the path of the peer-to-peer application shared folders. It then drops copies of itself in the P2P shared folders, using one of 22 possible file names.